Posted to commits@ranger.apache.org by rm...@apache.org on 2021/09/17 18:42:42 UTC

[ranger] branch master updated: RANGER-3407:Handle authorization of Hive Drop database / table if exists in RangerHiveAuthorizer when database / table doesn't exist

This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 885640e  RANGER-3407:Handle authorization of Hive Drop database / table if exists in RangerHiveAuthorizer when database / table doesn't exist
885640e is described below

commit 885640eaab7c2229056de41a3535a10d0418b204
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Fri Sep 17 10:04:43 2021 -0700

    RANGER-3407:Handle authorization of Hive Drop database / table if exists in RangerHiveAuthorizer when database / table doesn't exist
---
 .../hive/authorizer/RangerHiveAuthorizer.java      | 113 ++++++++++++++++++++-
 1 file changed, 110 insertions(+), 3 deletions(-)

diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index e0934de..42837cd 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -995,9 +995,16 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 				}
 			}
 
-			if (CollectionUtils.isEmpty(requests) && !IsCommandInExceptionList(hiveOpType)) {
-				String commandString = context == null ? "" : context.getCommandString();
-				throw new HiveAccessControlException(String.format("Unable to authorize command: [%s] , HivePrivilegeObjects are not available to authorize this command!", commandString));
+			if (CollectionUtils.isEmpty(inputHObjs) && CollectionUtils.isEmpty(outputHObjs) && !IsCommandInExceptionList(hiveOpType)
+					&& (hiveOpType.equals(HiveOperationType.DROPDATABASE) || hiveOpType.equals(HiveOperationType.DROPTABLE)))  {
+					//Handle Drop If exists statements where both inputHObjs and outputHObjs will be empty and request has to created out of commandString.
+					RangerHiveAccessRequest request = buildRequestForDropIfExistsCommands(hiveOpType, user, groups, roles, hiveOpType.name(), context, sessionContext);
+					if (request != null) {
+						requests.add(request);
+					}
+				} else {
+					String commandString = context == null ? "" : context.getCommandString();
+					throw new HiveAccessControlException(String.format("Unable to authorize command: [%s] , HivePrivilegeObjects are not available to authorize this command!", commandString));
 			}
 
 			buildRequestContextWithAllAccessedResources(requests);
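Review bot: When `buildRequestForDropIfExistsCommands` returns null at L39, nothing is added to `requests` and execution continues at L48 with an empty list, so a DROP ... IF EXISTS whose target could not be recovered from the command string is passed on with no access request at all, which presumably means no policy evaluation; the null case should be rejected the same way the `else` branch rejects missing privilege objects, e.g. `if (request == null) { throw new HiveAccessControlException(String.format("Unable to authorize command: [%s] , unable to determine the resource for DROP IF EXISTS", context == null ? "" : context.getCommandString())); }`. Separately, the `CollectionUtils.isEmpty(requests)` test from the removed lines is gone and the throw now sits in a plain `else`, so unless an enclosing guard lies outside the hunk (the method starts and ends outside it), every command that reached this point with privilege objects would be refused; keeping the original `if (CollectionUtils.isEmpty(requests) && !IsCommandInExceptionList(hiveOpType)) {` around the new check avoids that. The `} else {` at L43 is also indented one level deeper than the `if` it closes.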
@@ -2548,6 +2555,72 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		return requestedResources;
 	}
 
+	private RangerHiveAccessRequest  buildRequestForDropIfExistsCommands(HiveOperationType       hiveOpType,
+																		 String                  user,
+																		 Set<String>             userGroups,
+																		 Set<String>             userRoles,
+																		 String                  hiveOpTypeName,
+																		 HiveAuthzContext        context,
+																		 HiveAuthzSessionContext sessionContext) {
+		RangerHiveAccessRequest request = null;
+
+		switch (hiveOpType) {
+			case DROPDATABASE:
+				request = buildRequestForDropDatabaseIfExistsCommands(user,userGroups,userRoles,hiveOpTypeName,context,sessionContext);
+				break;
+
+			case DROPTABLE:
+				request = buildRequestForDropTableIfExistsCommands(user,userGroups,userRoles,hiveOpTypeName,context,sessionContext);
+				break;
+		}
+
+		return request;
+	}
+
+	private RangerHiveAccessRequest buildRequestForDropDatabaseIfExistsCommands(String                  user,
+																				Set<String>             userGroups,
+																				Set<String>             userRoles,
+																				String                  hiveOpTypeName,
+																				HiveAuthzContext        context,
+																				HiveAuthzSessionContext sessionContext) {
+		RangerHiveResource		resource  = null;
+		RangerHiveAccessRequest request   = null;
+		HiveObj hiveObj  = new HiveObj();
+		hiveObj.fetchHiveObjForDropDatabase(context);
+		String dbName    = hiveObj.getDatabaseName();
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Database: " + dbName);
+		}
+		if (dbName != null) {
+			resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName, null);
+			request = new RangerHiveAccessRequest(resource, user, userGroups, userRoles, hiveOpTypeName, HiveAccessType.DROP, context, sessionContext);
+		}
+		return request;
+	}
+
+
+	private RangerHiveAccessRequest buildRequestForDropTableIfExistsCommands(String                  user,
+																			 Set<String>             userGroups,
+																			 Set<String>             userRoles,
+																			 String                  hiveOpTypeName,
+																			 HiveAuthzContext        context,
+																			 HiveAuthzSessionContext sessionContext) {
+		RangerHiveResource 		resource  = null;
+		RangerHiveAccessRequest request   = null;
+		HiveObj hiveObj  = new HiveObj();
+		hiveObj.fetchHiveObjForDropTable(context);
+		String dbName    = hiveObj.getDatabaseName();
+		String tableName = hiveObj.getTableName();
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Database: " + dbName + " Table: " + tableName);
+		}
+		if (dbName != null && tableName != null) {
+			resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, tableName);
+			request  = new RangerHiveAccessRequest(resource, user, userGroups, userRoles, hiveOpTypeName, HiveAccessType.DROP, context, sessionContext);
+		}
+		return request;
+	}
+
 	private boolean isBlockAccessIfRowfilterColumnMaskSpecified(HiveOperationType hiveOpType, RangerHiveAccessRequest request) {
 		boolean            ret      = false;
 		RangerHiveResource resource = (RangerHiveResource)request.getResource();
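Review bot: An unqualified `DROP TABLE IF EXISTS t` leaves `dbName` null at L107, because `fetchHiveObjForDropTable` only sets `databaseName` when the token contains a dot, so L112 skips building the request and the caller receives null for the most common form of the statement; the method should fall back to the database the session resolves unqualified names against, if that is available here, and otherwise report the failure explicitly rather than returning null, since a null return removes the command from authorization. The three new methods also lack Javadoc; `buildRequestForDropIfExistsCommands` would take `/** Builds the DROP access request for a DROP DATABASE/TABLE IF EXISTS statement that Hive delivered without privilege objects; returns null when the target cannot be recovered from the command string. */`. `hiveOpTypeName` is always `hiveOpType.name()` at the single call site in this commit, so the extra parameter could be dropped.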
@@ -3205,6 +3278,8 @@ class HiveObj {
 	String databaseName;
 	String tableName;
 
+	HiveObj() {}
+
 	HiveObj(HiveAuthzContext context) {
 	 fetchHiveObj(context);
 	}
@@ -3237,6 +3312,38 @@ class HiveObj {
 		}
 	}
 
+	public void fetchHiveObjForDropDatabase(HiveAuthzContext context) {
+		// cmd passed: drop database if exists <db>
+		if (context != null) {
+			String cmdString = context.getCommandString();
+			if (cmdString != null) {
+				String[] cmd = cmdString.trim().split("\\s+");
+				if (!ArrayUtils.isEmpty(cmd) && cmd.length > 3) {
+					databaseName = cmd[4];
+				}
+			}
+		}
+	}
+
+	public void fetchHiveObjForDropTable(HiveAuthzContext context) {
+		// cmd passed: drop table if exists <db.table> or drop database if exists <table>
+		if (context != null) {
+			String cmdString = context.getCommandString();
+			if (cmdString != null) {
+				String[] cmd = cmdString.trim().split("\\s+");
+				if (!ArrayUtils.isEmpty(cmd) && cmd.length > 3) {
+					tableName = cmd[4];
+					if (tableName.contains(".")) {
+						String[] result = splitDBName(tableName);
+						databaseName = result[0];
+						tableName = result[1];
+					}
+				}
+			}
+		}
+	}
+
+
 	private String[] splitDBName(String dbName) {
 		String[] ret = null;
 		ret = dbName.split("\\.");
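Review bot: The length guard at L141 and L154 is off by one: `cmd.length > 3` admits a four-token command, and `cmd[4]` then throws ArrayIndexOutOfBoundsException from inside authorization; both lines should read `if (!ArrayUtils.isEmpty(cmd) && cmd.length > 4) {`. Both methods also assume a fixed token layout (`drop <kind> if exists <name>`), so the name token keeps any trailing `;` or surrounding backticks and will then fail to match the intended policy resource; a parse miss leaves the field null rather than raising an error, so callers must treat an unset name as a failure. The comment at L149 should read `// cmd passed: drop table if exists <db.table> or drop table if exists <table>`. `splitDBName` continues past the end of the hunk.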